In my previous post I wrote about blocking China because a lot of SQL Injection/XSS attacks against my customer servers originated from there. In this post I will write about some other steps we took to protect the servers.
From log files we were able to determine that computers there are part of zombie network were passing following URL against the web servers:
After analyzing this URL we determined few optional strings to block. Here are some of them:
- "declare @s char("
Not seen in above encoded URL is also string "script src=http://" which we also decided to block
I decided to block above strings on ISA Server that is in this case front end firewall. I opened ISA Server Management console and right clicked on the publishing rule for the server that was getting attacked. Here I selected "Configure HTTP" (picture below).
Here we select "Signatures" tab and select the "Add" option (picture below)
Here we can now enter strings that we identified earlier and we want to block when they appear in the URL (picture below)
After clicking OK we can preview entered strings (picture below)
We also added another filter under "General" tab. URL in our example is very long (over 1300 characters) and we decided to limit how long the URLs passed to our web servers can be. Instead of default 10240 bytes we decreased the value to 512 bytes which will more than accommodate our needs (picture below). URL requests longer than 512 bytes will be blocked.
When URL matching any entered filters ISA will block the request before it reaches the potentially vulnerable web server (picture below).
Note: This was never meant as permanent cure for SQL Injection or XSS attacks. We did this just as a precaution and to buy some time to check the web applications for any vulnerabilities!